
[Share] Norman SandBox Analyzer: introduction and how to apply for it

一凡
Posted on 2008-4-16 19:55:00
Product description

Overview

The Norman SandBox Analyzer is a utility meant to automate, simplify, and speed up the information gathering process when analyzing malware. The SandBox Analyzer enables users to analyze file behavior, the actual actions performed by the file, and even extracts files created on the "SandBox HD" by the analyzed file in a much faster and more effective way than ever before, thus reducing the manpower and actual time needed to analyze the suspicious files.
Norman SandBox Analyzer can be used as a command line application, making it easier to build into existing solutions, or with a regular user interface giving a fast and efficient view and management of the files being analyzed.

How does it work?

Norman SandBox Analyzer provides a comprehensive analysis of any executable file's actions. After the file has been processed it generates reports with an in-depth description of the file's actions in an API log view and a summary report.
The summary report includes the following information blocks:
  • File/Malware categories, i.e. W32/Backdoor, W32/Worm, W32/Downloader, etc.
  • Changes to the computer's file system.
  • Changes in the registry and system settings.
  • Network services details.
  • Process and window information.



[ This post was last edited by jeccci5 on 2008-4-16 20:03 ]


一凡
(OP) Posted on 2008-4-16 19:55:23
Norman SandBox Analyzer in more detail

Operation

Operating Norman SandBox Analyzer is quite easy: just install the analyzer in a preferred folder on the computer you want to use for analysis. Tell Norman SandBox Analyzer the path of the file(s) you want to analyze and press enter. Depending on the parameters you have entered, the output will be made available in just a few seconds. Parameters include the possibility to create a full API log, a SandBox summary, and an extraction of all files created by the analyzed file on the SandBox "harddrive".
The SandBox Analyzer can also handle a large number of files, generating the requested information without the need for user intervention. As the virus unfolds, the proactive solution will monitor and assess the behavior of the suspicious file.
Norman SandBox is the core component of Norman SandBox Analyzer; this module is compatible with Windows functions such as Winsock, Kernel and MPR and also supports network and Internet functions like HTTP, FTP, SMTP, DNS, IRC, and P2P. In other words it is a fully simulated computer, isolated within the NSA application.
The simulator uses full ROM BIOS capacities, simulated hardware, simulated hard drives, etc. This simulator emulates the entire bootstrap of a regular system at boot-time, starting by loading the operating system files and the command shell from the simulated drive. This drive will contain the directories and files that are necessary parts of the system, conforming to the system files on physical hard drives.
The file to be analyzed is loaded into the simulated hard disk and will be started in the simulated environment. Inside the simulated environment the file may do whatever it wants. It can infect files. It can delete files. It can copy itself over networks. It can connect to an IRC server. It can send e-mails. It can set up listening ports. Every action it takes is registered by the antivirus program, because it is effectively the emulator that performs the actions based on the code in the file. No code is executed on the real CPU except for the antivirus emulator engine; even the hardware in the simulated PC is emulated.
The issue is to figure out what the program would have done if it had been allowed to run wild on an unprotected machine. After the file has done its acts, an API log and a summary report will be generated to give clear-text information about the file's actions.


[ This post was last edited by jeccci5 on 2008-4-16 20:03 ]

一凡
(OP) Posted on 2008-4-16 19:55:41
The report

The Norman SandBox Analyzer summary is a description of the file's behavior, the actions performed on the target victim's objects, and the elements set up to enable external communication.
This report is a subset of the API log, which gives a detailed overview of the file's actions command by command.

Example of an NSA summary
D:\VIRUS\MYTEST.EX_ : W32/Backdoor
====> Sandbox output:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Display message box (sample) : sample, te amo!.
* Display message box (KERN32) : KERN32, te amo!.
* File length: 58368 bytes.
* MD5 hash: 60a8d2e41147f48364e1eb3729ac53fb.

[ Changes to filesystem ]
* Deletes file C:\WINDOWS\SYSTEM32\kern32.exe.
* Creates file C:\WINDOWS\SYSTEM32\kern32.exe.

[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Sets value "kernel32"="C:\WINDOWS\SYSTEM32\kern32.exe -sys" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".

[ Changes to system settings ]
* Creates WindowsHook monitoring keyboard activity.

[ Network services ]
* Connects to "200.223.3.130" on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser[FRK][19].
* IRC: Uses username SErVERINO.
* IRC: Joins channel #Sl4cK_r0oT.

[ Process/window information ]
* Creates a mutex ZZM9H9YY.
* Creates a mutex SrVFrK.
This is a short example of an API log

If you look closely you will see that the API log is from the same file as the SandBox summary above.

KERNEL32!CopyFileA ("C:\WINDOWS\SYSTEM32\KERN32.EXE",
   "C:\WINDOWS\SYSTEM32\kern32.exe",0x00000000)
KERNEL32!GetFileAttributesA ("C:\WINDOWS\SYSTEM32\kern32.exe")
KERNEL32!GetFileAttributesA ("C:\WINDOWS\SYSTEM32\kern32.exe")
KERNEL32!CreateFileA ("C:\WINDOWS\SYSTEM32\KERN32.EXE",0x80000000,
   0x00000000,0x00000000,0x00000003,0x00000000,0x00000000)
KERNEL32!SetFileAttributesA ("C:\WINDOWS\SYSTEM32\kern32.exe",0x00000006)
ADVAPI32!RegCreateKeyExA (0x80000002,"Software\Microsoft\Windows
   \CurrentVersion\RunOnce",0x00000000,NULL,0x00000000,0x000F003F,0x00000000,
   0x4FD01154,0x00000000)
ADVAPI32!RegSetValueExA (0x7200214B,"kernel32",0x00000000,0x00000001,
   "C:\WINDOWS\SYSTEM32\kern32.exe -sys",0x00000023)
ADVAPI32!RegCloseKey (0x7200214B)
KERNEL32!CreateMutexA (0x00000000,0x00000000,"SrVFrK")
KERNEL32!GetLastError ()
KERNEL32!CreateThread (0x00000000,0x00000000,0x004027B9,0x74116F00,
   0x00000004,0x74116F00)

System requirements
  • Pentium III or higher
  • 512 MB RAM or more
  • At least 50 MB free hard drive space
  • Operating System: Windows 2000/2003 or XP.

More information - testing or purchasing the product

Click here and fill in the form to purchase or test the product, or to request more information.
Click Norman SandBox Analyzer - Return on investment (ROI) calculator if you are interested in calculating your savings compared to using analysts.

[ This post was last edited by jeccci5 on 2008-4-16 20:05 ]
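The post explains that the summary is a subset of the API log and shows both for the same sample. As an added example (my own code, not Norman's), the script below parses the two report formats into structured indicators and checks that the RunOnce persistence entry in the summary is backed by a RegCreateKeyExA/RegSetValueExA pair in the API log. The embedded input is an abridged copy of the report quoted in the post with the path backslashes restored; the field layout it assumes is exactly what the post shows, and attributing each RegSetValueExA to the most recently opened key is an assumption because the log does not map handle values to key paths.

```python
"""Parse a Norman SandBox Analyzer summary report and API log into indicators.
Added example, not Norman's code. Input is an abridged copy of the report
quoted in the post above, with the lost path backslashes restored."""
import re

SUMMARY = r"""
D:\VIRUS\MYTEST.EX_ : W32/Backdoor
====> Sandbox output:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* MD5 hash: 60a8d2e41147f48364e1eb3729ac53fb.

[ Changes to filesystem ]
* Deletes file C:\WINDOWS\SYSTEM32\kern32.exe.
* Creates file C:\WINDOWS\SYSTEM32\kern32.exe.

[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Sets value "kernel32"="C:\WINDOWS\SYSTEM32\kern32.exe -sys" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".

[ Network services ]
* Connects to "200.223.3.130" on port 6667 (TCP).
* IRC: Joins channel #Sl4cK_r0oT.

[ Process/window information ]
* Creates a mutex ZZM9H9YY.
* Creates a mutex SrVFrK.
"""

API_LOG = r"""
KERNEL32!CopyFileA ("C:\WINDOWS\SYSTEM32\KERN32.EXE",
   "C:\WINDOWS\SYSTEM32\kern32.exe",0x00000000)
ADVAPI32!RegCreateKeyExA (0x80000002,"Software\Microsoft\Windows
   \CurrentVersion\RunOnce",0x00000000,NULL,0x00000000,0x000F003F,0x00000000,
   0x4FD01154,0x00000000)
ADVAPI32!RegSetValueExA (0x7200214B,"kernel32",0x00000000,0x00000001,
   "C:\WINDOWS\SYSTEM32\kern32.exe -sys",0x00000023)
ADVAPI32!RegCloseKey (0x7200214B)
KERNEL32!CreateMutexA (0x00000000,0x00000000,"SrVFrK")
KERNEL32!GetLastError ()
"""

# Predefined hive handles as printed in the log (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER).
HIVES = {"0x80000002": "HKLM", "0x80000001": "HKCU"}


def is_autorun_key(key):
    """Run / RunOnce keys are the classic autostart locations."""
    return key.lower().rstrip("\\").endswith(("\\run", "\\runonce"))


def parse_summary(text):
    """Return {section name: [bullet text, ...]}. Bullets wrapped onto a
    following line (like the IMPORTANT notice) are re-joined."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[ (.+?) \]", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is None:
            continue  # file name / banner lines before the first section
        elif line.startswith("* "):
            sections[current].append(line[2:])
        elif sections[current]:
            sections[current][-1] += " " + line
    return sections


def extract_indicators(sections):
    """Pull the indicators an analyst would triage on out of the summary."""
    ind = {"files_created": [], "files_deleted": [], "autorun": [],
           "connections": [], "mutexes": []}
    for item in sections.get("Changes to filesystem", []):
        m = re.fullmatch(r"(Creates|Deletes) file (.+?)\.?", item)
        if m:
            ind["files_created" if m.group(1) == "Creates" else "files_deleted"].append(m.group(2))
    for item in sections.get("Changes to registry", []):
        m = re.search(r'Sets value "([^"]*)"="([^"]*)" in key "([^"]+)"', item)
        if m and is_autorun_key(m.group(3)):
            ind["autorun"].append((m.group(3), m.group(1), m.group(2)))
    for item in sections.get("Network services", []):
        m = re.search(r'Connects to "([^"]+)" on port (\d+) \((\w+)\)', item)
        if m:
            ind["connections"].append((m.group(1), int(m.group(2)), m.group(3)))
    for item in sections.get("Process/window information", []):
        m = re.fullmatch(r"Creates a mutex (\S+?)\.?", item)
        if m:
            ind["mutexes"].append(m.group(1))
    return ind


def parse_api_log(text):
    """Return [(module, function, [args]), ...]; indented lines continue the
    previous call, so a wrapped argument list is re-joined before splitting."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and entries:
            entries[-1] += raw.strip()
        else:
            entries.append(raw.strip())
    calls = []
    for entry in entries:
        m = re.fullmatch(r"(\w+)!(\w+) \((.*)\)", entry)
        if m:  # quoted strings stay whole even if they contain commas
            args = [a.strip() for a in re.findall(r'"[^"]*"|[^,]+', m.group(3))]
            calls.append((m.group(1), m.group(2), args))
    return calls


def registry_writes_from_api_log(calls):
    """Rebuild 'Sets value' facts from RegCreateKeyExA/RegOpenKeyExA followed by
    RegSetValueExA. Assumption: the log does not show which path a handle maps
    to, so a write is attributed to the most recently opened key until RegCloseKey."""
    writes, open_key = [], None
    for module, func, args in calls:
        if module != "ADVAPI32":
            continue
        if func in ("RegCreateKeyExA", "RegOpenKeyExA"):
            open_key = HIVES.get(args[0], args[0]) + "\\" + args[1].strip('"')
        elif func == "RegSetValueExA" and open_key is not None:
            writes.append((open_key, args[1].strip('"'), args[4].strip('"')))
        elif func == "RegCloseKey":
            open_key = None
    return writes


def cross_check_persistence(summary_text, api_log_text):
    """True when every autorun entry in the summary is backed by the API log."""
    summary_autorun = extract_indicators(parse_summary(summary_text))["autorun"]
    log_autorun = [w for w in registry_writes_from_api_log(parse_api_log(api_log_text))
                   if is_autorun_key(w[0])]
    return bool(summary_autorun) and all(w in log_autorun for w in summary_autorun)


if __name__ == "__main__":
    for name, items in extract_indicators(parse_summary(SUMMARY)).items():
        print(f"{name}: {items}")
    print("persistence confirmed by API log:", cross_check_persistence(SUMMARY, API_LOG))
```

The summary parser is what you would feed a triage pipeline; the API-log side is what you fall back to when a summary line needs to be verified against the raw call sequence, as the post suggests by showing both for the same sample.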
一凡
(OP) Posted on 2008-4-16 19:56:19
Anyone interested can apply at the address below:
http://www.norman.com/microsites/malwareanalyzer/Buy/en
hzqedison
Posted on 2008-4-16 19:57:55
Did you get approved? Can you share the download?
一凡
(OP) Posted on 2008-4-16 20:00:03
Fill in the fields and click Submit.
一凡
(OP) Posted on 2008-4-16 20:01:02
Originally posted by hzqedison on 2008-4-16 19:57:
> Did you get approved? Can you share the download?

I'm waiting for the official reply; once I get it I'll post it here.
kuririn
Posted on 2008-4-16 20:04:30
Just wait patiently.
一凡
(OP) Posted on 2008-4-16 20:07:43
I wonder whether fellow member tulei knows how long one has to wait before the official side sends over the download link.
allinwonderi
Posted on 2008-4-16 21:52:04
+1, thanks.